Creating a ClusterIssuer

I am going to create a ClusterIssuer. I could create an Issuer, but I’ve started with a ClusterIssuer. What is the best alternative? This depends on our deployment and future requirements, mostly in the namespace situations.

Modifying my ingress resource created previously

Now that I’ve created our Let’s Encrypt staging ClusterIssuer, I am ready to modify the Ingress Resource we created above and enable TLS encryption for the test1kongletsencrypt.possibilit.nl paths by adding the following:

I am going to add the certmanager.k8s.io/cluster-issuer: letsencrypt-staging annotation and use the secret created with the letsencrypt-staging ClusterIssuer, named letsencrypt-staging.

I can see that my order is not completed; it was only created, in the OrderCreated event. It has already been 7 minutes since I created this certificate and the order has not completed, and for that reason the certificate is not issued successfully.

Another thing that happens to me is that the letsencrypt-staging secret created by the letsencrypt-staging ClusterIssuer and its respective certificate only has the tls.key:

As I understand it, if the letsencrypt certificate order completes and the certificate is issued, in the letsencrypt-staging secret I would have a tls.crt key, and maybe my letsencrypt-staging secret will be of tls type and not Opaque?

When I look at the logs of my cert-manager pod I get the following output; I think that the HTTP challenge is not executed:

I get this message: No existing HTTP01 challenge solver pod found for Certificate "default/letsencrypt-staging-2613163196-0"
Because of this, I decided to add the certmanager.k8s.io/acme-challenge-type: http01 annotation to my kong-ingress-zcrm365 ingress, but nothing happened … my ingress is updated, but nothing more.

All this process confirms that the TLS certificate was not successfully issued and HTTPS encryption is not active for my configured domain test1kongletsencrypt.possibilit.nl.

This means that my letsencrypt-staging certificate has Status: False, and the order created event does not advance to completed for the certificate to be issued.

I’ve heard that the letsencrypt-staging environment only has test certificates, that these are a kind of ‘fake certificates’, and that maybe some clients like my Chrome/Firefox browser don’t trust the certificate issuer …

Is this a reason why I cannot enable HTTPS encryption on my domain?
If so, should I change from the staging environment to the production environment?
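
For reference, the setup described in the post above as manifests. This is an added example, not part of the original post: it assumes an older cert-manager release that still uses the certmanager.k8s.io/v1alpha1 API (matching the annotations quoted above), and the e-mail address, the account-key secret name, and the backend service name and port are placeholders.

```yaml
# ClusterIssuer pointing at the Let's Encrypt staging ACME endpoint.
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com                  # placeholder (assumption)
    # Holds the ACME *account* private key, stored under tls.key only.
    # Name is a placeholder (assumption), kept distinct from the Ingress
    # TLS secret so the two are not confused when inspecting secrets.
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    http01: {}                                # enable the HTTP-01 solver
---
# Ingress from the post with the two annotations it mentions.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kong-ingress-zcrm365
  namespace: default
  annotations:
    certmanager.k8s.io/cluster-issuer: letsencrypt-staging
    certmanager.k8s.io/acme-challenge-type: http01
spec:
  tls:
    - hosts:
        - test1kongletsencrypt.possibilit.nl
      # Certificate secret; once the order completes it carries both
      # tls.crt and tls.key.
      secretName: letsencrypt-staging
  rules:
    - host: test1kongletsencrypt.possibilit.nl
      http:
        paths:
          - path: /
            backend:
              serviceName: example-service    # placeholder (assumption)
              servicePort: 80                 # placeholder (assumption)
```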

The quickest way to ask a question is to first post on our Slack channel (#cert-manager) on the Kubernetes Slack. There are a lot of community members in this channel, and you can often get an answer to your question straight away!

Hi @cpu. Yes, I understand. I wanted to put the question here because it’s related to the letsencrypt process too. I was thinking that maybe someone would want to support me. Anyway, I understand what you say.

I’ve applied this acme-kong-kube-helper (github.com/ollystephens/acme-kong-kube-helper) in order to solve the http01 validation problem in the staging environment, and it all works. When the http01 validation has been performed, it is necessary to use the letsencrypt production environment to get the HTTPS encryption.

The problem is mainly that cert-manager has some problems working with ingress controllers other than nginx. This helper is a temporary solution. Currently cert-manager is working on this feature to solve this: https://github.com/jetstack/cert-manager/issues/1097